Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Worms Security Government The Courts News IT

Zotob and Mytob Worm Authors Arrested 363

An anonymous reader writes "The Washingtonpost.com is reporting that two men have been arrested for allegedly authoring and releasing the "Zotob" and "Mytob" worms. The first Zotob, released Aug 14 - just 4 days after Microsoft released a fix for the hole it exploited, infected systems at many major news outlets. Mytob remains one of the most pervasive worms on the 'Net today." From the article: "Moroccan authorities, working with the FBI, arrested Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker 'Diabl0.' Arrested in Turkey was Atilla Ekici, aka 'Coder,' age 21. Both individuals will be subject to local prosecutions, the FBI said." Update: 08/26 20:56 GMT by Z : Nana Mous wrote to mention an eWeek blow by blow account of Microsoft's response to the worm. Very interesting read.
This discussion has been archived. No new comments can be posted.

Zotob and Mytob Worm Authors Arrested

Comments Filter:
  • Informative link: (Score:5, Informative)

    by TripMaster Monkey ( 862126 ) * on Friday August 26, 2005 @03:21PM (#13410710)
    In the interest of stimulating more informed discussion, here is a link [prnewswire.co.uk] to a press release from Microsoft commending the Turkish and Moroccan authorities, as well as the FBI, for their prompt arrest of the suspects.
  • by zetes ( 110457 ) * on Friday August 26, 2005 @03:21PM (#13410714)
    Atilla, you don't need a cool alias - you already have one!
  • Both individuals will be subject to local prosecutions, the FBI said.

    In other words, a few horse heads will show up in some beds, some vague threats made, and they'll get off with no punishment.
    • You must be unfamiliar with legal systems in third world countries. Execution is a very real possibility. Severe beatings and years in a miserable prison are likely.
      • > You must be unfamiliar with legal systems in third world countries. Execution is a very real possibility. Severe beatings and years in a miserable prison are likely.

        Worm/virus authors are one notch above spammers. (They're only one notch above spammers because, unlike spam, I've never been hit with one.)

        In other words - you're making the original poster's point. Spending their time locked into a cell with nothing but a bucket of their own feces for dinner, beaten regularly, and after a few month

      • The USA, proud member of the first world, is in the top ten for executions with such exemplary second world nations as Belarus and China.
  • by tont0r ( 868535 ) on Friday August 26, 2005 @03:24PM (#13410741)
    what would someone that age get out of releasing something that would cost so much damage?? i realize you get the whole '3Y3 PWN3D J00R 4SS' effect, but still.

    and also, i guess this shows more than russia has some awesome programmers :)

    last tid bit:
    Moroccan authorities, working with the FBI, arrested Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0."
    who the hell uses the term 'screen moniker'??
  • Coder?? (Score:2, Insightful)

    by wasted time ( 891410 )
    Wouldn't using Atilla as a screen name earn a bit more respect than Coder?

    http://www.hyperhistory.net/apwh/bios/b3atilla_p1d z.htm [hyperhistory.net]
  • by Anonymous Coward on Friday August 26, 2005 @03:25PM (#13410745)
    removing their virii and others as well as great software such as CoolWebSearch and their ilk all day EVERYDAY of their sentence.
    • removing their virii and others as well as great software such as CoolWebSearch and their ilk all day EVERYDAY of their sentence.

      Too lenient. How about they get wired up to some slashdot server and are delivered a slight electric shock every time some idiot writes "virii?" Two shots for "cracker" every time it is not used in the context of edible wafers.

      Now, THAT's script-kiddie rehab!
    • I wonder what would be a fitting punishment for someone who uses the nonsense word "virii"

      THERE IS NO SUCH WORD AS VIRII.
      THERE IS NO SUCH WORD AS VIRII.
      THERE IS NO SUCH WORD AS VIRII.

      Keep reading it, and try to let it sink in.
  • by bl968 ( 190792 ) on Friday August 26, 2005 @03:25PM (#13410758) Journal
    If I was either of the two suspects I would be crying my eyes out and demanding to be tried and jailed in the US instead of the "Local prosecution". Their best jails would likely not come up to the level of our worst.
    • Joey, have you ever been in a Turkish prison?
    • by Anonymous Coward
      > Their best jails would likely not come up to the level of our worst.

      Welcome in Guantanamo !
    • I'm not sure what information you are basing that on, could you clarify? I know ./ers will accuse me of anti-americanism but you are just assuming.
      According to a quick Google on the (ever reliable) internet, there are political prisoners in the US, there is torture going on (not only Abu Graib and Guantanamo, see http://www.historiansagainstwar.org/resources/tor t ure/brucefranklin.html [historiansagainstwar.org] ) and there are also doubts on whether you can get a fair trial: it's often advised to expelled suspects that in their ow
    • by Khalid ( 31037 ) on Friday August 26, 2005 @04:43PM (#13411509) Homepage
      Well moroccan prisons are certainly not five stars hotels, but I am pretty sure that it's much much more confortable for this guy to have it's trial in his home country rather than in the US nowdays with all the terrorist paranoia going in this country.

      I am a Moroccan national, and I have partically renounced travelling to the US after all the horrors stories people I know have told me they have faced in US airports.

      Morocco is not really a democratic country (yet), but things are slowly evolving in the good way and nothing similar to Abu Ghraib or Guantanamo has happened lately in Morocco, since Tazmamart which was really horrible for those who have heard about it.
  • by dotpavan ( 829804 ) on Friday August 26, 2005 @03:26PM (#13410768) Homepage
    they had apparently commented the code: //.. @uthors: Farid Essebar, Atilla Ekici
  • It's a real shame (Score:5, Insightful)

    by saskboy ( 600063 ) on Friday August 26, 2005 @03:29PM (#13410798) Homepage Journal
    It's a shame that these idiot kids can't make a program that every computer [that runs Windows anyway] could use, and then when they get the urge to explot a Windows hole, they'd have a payload that would do more than cause reboots and crashes, and could do something useful like calculate something for medical science, patch the hole they exploit without doing damage, or play a podcast with a good message.

    ANYTHING. The lack of creativity in today's vandals is just pitiful.
    • ANYTHING. The lack of creativity in today's vandals is just pitiful. Amen to that. Of course, if worm authors only wrote worms that patched holes and caused no ill effect, they wouldn't be able to brag to their kiddie friends that "I took down half the internet!!!" In addition, I'm afraid of what the Microsoft corporate reaction would be. Officially, they can't condone it, especially if the hole-patching worm didn't work properly (remember a couple years ago?). But it might make them a bit more laxadai
    • by TripMaster Monkey ( 862126 ) * on Friday August 26, 2005 @03:37PM (#13410903)

      I'm still waiting for the virus that infects systems through vulnerabilities in IE or Outlook/OE, then:
      • Installs Firefox
      • Configures it to be the default browser
      • Imports the IE favorites to the bookmarks,
      • Edits the registry to disable IE as much as possible
      • Installs Thunderbird
      • Configures it to be the default email client
      • Imports contents of Outlook and OE address book to Thunderbird
      • Uninstalls Outlook Express and OE
      • Deletes itself
      The writer of this 'virus' should get a frickin' medal.
    • by unsigned integer ( 721338 ) on Friday August 26, 2005 @03:40PM (#13410929)
      Reminds me of the DOS 'Pac Man' virus ... everytime you typed a '.', a little pac-man would run out and eat it. It cracks me up everytime I think about it for some reason. Why don't we have some viruses that act more as 'creative grafitti', rather that pure tools of spam and DDoS slaves? If they are relatively benign enough, I could picture letting them run on my computer for kicks. :-)

      Happy Birthday, Joshi.

      • Why don't we have some viruses that act more as 'creative grafitti'

        We do still have these. They're called freeware or shareware. You'll find them on websites all over the place. Most of the time they come with hidden surprises too!
    • The lack of creativity in today's vandals is just pitiful.

      Not that yesterday's vandals were any less pitiful.
  • by GecKo213 ( 890491 ) on Friday August 26, 2005 @03:31PM (#13410816) Homepage

    I think it's interesting that when these worms were originally introduced, and started first infecting machines, how the media made such a big deal about how quickly after the security hole was announced the worm was unleashed. I find it a bit more interesting the speed with which law enforcement is able to nab the creator of such programs. It used to be, "We don't know where in the hell to start!" to now it's more like "When can we pick this person up and how are we going to prosecute them here or there."

    Just my thoughts.
  • Quick question. (Score:5, Insightful)

    by mctk ( 840035 ) on Friday August 26, 2005 @03:31PM (#13410821) Homepage
    How on earth do they find these people?
    • Re:Quick question. (Score:5, Informative)

      by Anonymous Coward on Friday August 26, 2005 @03:40PM (#13410932)
      from TFA they tried to run a bankcard scam with info they obtained from compromised machines.
    • Re:Quick question. (Score:2, Informative)

      by GecKo213 ( 890491 )

      1) They very stupidly could have launched the worm from their own computer rather than a public computer say 50 miles away in a library somewhere.

      2) They could have run the program when they compiled it for the final time by doing a compile and run versus just compile.



      It's always something like that happens when these guys get busted. They get comfortable and forget to do something that they needed to cover their tracks due to lack of extreme paranoia.
    • Or they bragged about how 133t they were to the wrong people, and someone decided to turn them in to try and pick up the Microsoft bounty.
    • Re:Quick question. (Score:2, Informative)

      by camcorder ( 759720 )
      Authors of that worm was using infomation stored on victims' computers for bankcard forgery. According to what I read from local news, Atilla guy was caught because he was moving money from victims' bank accounts to another account.

      With such a connection to accounts, it's not a rocket science to catch writers. I think Turkish guy thought Turkey is heaven to do such things without any kind of anonymity in Turkey but evidently he was wrong.
  • AKA Coder? (Score:2, Funny)

    by rokka ( 631038 )
    Oh my god, does this kid suffer from a lack of imagination or what?!
  • by Rosco P. Coltrane ( 209368 ) on Friday August 26, 2005 @03:32PM (#13410834)
    The worm also is thought to have temporarily disabled the systems that the U.S. Department of Homeland Security uses to screen airline passengers entering the United States.

    Oh so the airport screening machines are on the internet, are they? I feel safer in the hands of people as competent as the DHS already...

    Or more likely, this is just another piece of DHS propaganda designed to enphasize how dangerous those virus writers are. So dangerous they can disable our precious airport security systems! Terrorists!!
    • by freshman_a ( 136603 ) on Friday August 26, 2005 @03:42PM (#13410954) Homepage Journal

      Oh so the airport screening machines are on the internet, are they?

      Or more likely, someone brought in an infected laptop and connected it to the network...

      Not that it's a much better situation, but just because a computer (or network) has a virus on it, does not mean it's on the internet.
    • Oh so the airport screening machines are on the internet, are they? I feel safer in the hands of people as competent as the DHS already...

      Or more likely, this is just another piece of DHS propaganda designed to enphasize how dangerous those virus writers are.

      "Never attribute to malice that which is adequately explained by stupidity."

    • Systems like that do have to be integrated with each other, and they need updates. You can either lay brand-new cable (and make sure that nobody physically hacks into it) or you can re-use the existing infrastructure.

      The latter is a hell of a lot cheaper. And it's effective if you restrict what sorts of programs are used on the computer. Like there's no reason for these to have had port 445 open in the first place. (It's a hell of a lot easier to control open ports with Linux than with Windows.)

      Restrict
    • by erroneus ( 253617 ) on Friday August 26, 2005 @04:04PM (#13411187) Homepage
      I have a hard time believing that they disabled any of the screening machines. I have operated most of the machines in use (a year ago anyway) and while the larger machines use Windows as the console, the machines themselves use Unix variants inside. The smaller machines are Unix variants on the console as well.

      I can't speak for airports other than the one I worked at, but while the machines were capable of being networked, I saw no indication that they were actively used as anything but stand-alone machines. (That's not to say they weren't... just that I saw no indication of it.) To me it means that these machines aren't likely to have been infected unless a technician connected a laptop to it and inadvertently infected one. As much as I would like to bad-mouth DHS and the TSA, I can't in this area -- it just doesn't seem likely to me.

      Now that said, I know all of their office systems are Windows and could have been vulnerable. But again, the systems at the airport I worked didn't have much in the way of network connections (most of the time, no network connection at all). So again, I don't think airport systems, administrative or operational were vulnerable to network infection. ...if I were recognised as even a little bit valuable to their operation from a network-security standpoint, I might have tried to make my career there, but alas, they only wanted me as a screener... (If you want to get promoted in the DHS, it's best if you are either non-white or female... bonus if you're both!) I guess this might be true of just about any government job but it really left a bitter taste behind with me.... oh well... enough off-topic complaints.
  • by Futurepower(R) ( 558542 ) on Friday August 26, 2005 @03:33PM (#13410839) Homepage

    It is interesting that the U.S. government's FBI agency has become a world-wide police force.

    --
    Trying to make one book explain all of life makes some people crazy enough to kill.
  • by newsblaze ( 894675 ) * on Friday August 26, 2005 @03:33PM (#13410844) Homepage Journal
    Microsoft Assisted Worm Investigation [interestalert.com] Microsoft's Internet Crime Investigations Team supported the investigation with law enforcement immediately following the release of the two worms. Microsoft provided technical information and analytical support to the FBI on this case, which was then shared with Moroccan and Turkish authorities.
    • Actually, if MS wanted to branch out to new markets, this would be a good place to start. Start a hacking/virus investigative branch and sell your services in tracking down the little bastards that write these worms/viruses.
  • Why don't the worms actually do something really destructive, like erase partition tables or cause irreversible damage?

    That, to me, would seem like the choice route.. instead they're mild "blah blah, I will infect you and do nothing but infect others" apps.

    Shame..
    • Ah, but you see, without the replication, the worm is nothing. I don't think worm-writing is so much about [i]causing damage[/i] as it is about [i]bragging rights[/i]. So there's little point in going through the extra effort to add in the destructive payload.
      • i dunno, I think one that wiped command.com off of the c:\ would be awesome. That way, all win98, win95, winme, win98se, etc would die.

      • So there's little point in going through the extra effort to add in the destructive payload.

        The kid that wiped out 75% of America's computers would pretty much be (in)famous forever. You don't think that's an attraction? I'm amazed it hasn't happened already.

    • Like in real life virii do not need to be too destructive to be successfull. If the carriers die off too soon there is no propagation.
      • If the carriers die off too soon there is no propagation.

        Key phrase: too soon. Imagine a worm that replicated for a day or so before cleaning house. It would spread almost as quickly as non-limited worms, but would inflict far, far more damage.

    • Re:I don't get it... (Score:3, Informative)

      by arkhan_jg ( 618674 )
      Because
      a) that would slow the rate of infection, and it's lifetime (I still see the odd laptop infected with blaster)

      b) an infected machine they can pull credit card numbers off of (which they did in this case) or send spam with, is much more valuable to writers these days than just killing it.
  • the virii in hackers [imdb.com] were a lot more fun. best quote ever:
    GUY: SIR! WEVE GOT A COOKIE MONSTER!
    other guy: TYPE COOKIE YOU IDIOT!
  • Both individuals will be subject to local prosecutions, the FBI said.

    Hope that includes torture.

  • Funny Logic ... (Score:3, Insightful)

    by joelsanda ( 619660 ) on Friday August 26, 2005 @04:14PM (#13411264) Homepage

    How is this wrong? People like this are keeping software developers on their toes. I say good on them...

    Couldn't you make the same case for people shooting cops or driving drunk? In the first case it will spur body armor manufacturers to create more effective armor. In the later it may lead to safer cars?

  • Easy targets missed (Score:2, Interesting)

    by supra ( 888583 )
    I was reading a dated (2004) article comparing security on Windows and Linux. In it, they point out that Windows is not on the Top-50 list of highest uptimes. I recently visited the list ( http://uptime.netcraft.com/up/today/top.avg.html [netcraft.com]) and noticed that Windows does indeed have a few entries.
    But, no Windows machine should have an uptime of more than ~6 months as all MS updates require a reboot. And the Netcraft list contained Win2k machines w/ 4+ yrs uptime! That means they should be ripe for the pic
  • by tktk ( 540564 ) on Friday August 26, 2005 @04:16PM (#13411275)
    ... it includes the use of a very specific, high-priority subject line to make sure the mail is read by the senior executives.

    Damn, now I want to know what that subject line says...

  • by Anonymous Coward

    The "Executive e-mail" is a key part of the response process, and it includes the use of a very specific, high-priority subject line to make sure the mail is read by the senior executives.

    Unfortunately for Microsoft, and fortunately for us, that very specific, high priority subject line has been leaked:

    Subject: 0H! fuX0R!! w3 g0t pWN3D!!!!11zored
  • Don't e-mail your crimes.

    That's why we can't find Osama.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...